AZLX-23-002580 - Amazon Linux 2023 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.

Information

The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.

Solution

Configure Amazon Linux 2023 so that the /boot/efi directory is mounted with the "nosuid" option.

Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Amazon_Linux_2023_V1R2_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(2), CAT|II, CCI|CCI-001764, Rule-ID|SV-274178r1120522_rule, STIG-ID|AZLX-23-002580, Vuln-ID|V-274178

Plugin: Unix

Control ID: 3285dd3073e2f1d76d62a3b4f754081810e216368f8449a56c28d3e8c4eef42c